Module: Sequel::Plugins::BlacklistSecurity::ClassMethods
- Defined in:
- lib/sequel/plugins/blacklist_security.rb
Instance Attribute Summary collapse
-
#restricted_columns ⇒ Object
readonly
Which columns are specifically restricted in a call to set/update/new/etc.
Instance Method Summary collapse
-
#set_restricted_columns(*cols) ⇒ Object
Set the columns to restrict when using mass assignment (e.g.
set
).
Instance Attribute Details
#restricted_columns ⇒ Object (readonly)
Which columns are specifically restricted in a call to set/update/new/etc. (default: not set). Some columns are restricted regardless of this setting, such as the primary key column and columns in Model::RESTRICTED_SETTER_METHODS.
22 23 24 |
# File 'lib/sequel/plugins/blacklist_security.rb', line 22 def restricted_columns @restricted_columns end |
Instance Method Details
#set_restricted_columns(*cols) ⇒ Object
Set the columns to restrict when using mass assignment (e.g. set
). Using this means that attempts to call setter methods for the columns listed here will cause an exception or be silently skipped (based on the strict_param_setting
setting). If you have any virtual setter methods (methods that end in =) that you want not to be used during mass assignment, they need to be listed here as well (without the =).
It’s generally a bad idea to rely on a blacklist approach for security. Using a whitelist approach such as set_allowed_columns or the instance level set_only or set_fields methods is usually a better choice. So use of this method is generally a bad idea.
Artist.set_restricted_columns(:records_sold)
Artist.set(:name=>'Bob', :hometown=>'Sactown') # No Error
Artist.set(:name=>'Bob', :records_sold=>30000) # Error
37 38 39 40 |
# File 'lib/sequel/plugins/blacklist_security.rb', line 37 def set_restricted_columns(*cols) clear_setter_methods_cache @restricted_columns = cols end |